Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ∞ take a peek at our legendary cryptostorm_is twitter feed if you're into that kind of thing ∞Ξ we're rolling out voodoo network security across cryptostorm - big things happening, indeed! ΞΞ any OpenVPN configs found on the forum are likely outdated. For the latest, visit GitHub Ξ

@JTD121Do you get that error when running cryptostorm_setup.exe? If so, you should exit the widget before you begin the installation. Windows can't overwrite client.exe if it's already running. Although, the installation should detect if the widget is already running and ask if it's okay to close it before attempting to overwrite it.

@JTD121Do you get that error when running cryptostorm_setup.exe? If so, you should exit the widget before you begin the installation. Windows can't overwrite client.exe if it's already running. Although, the installation should detect if the widget is already running and ask if it's okay to close it before attempting to overwrite it.

@ATurtleIf anyone is still using XP, they clearly don't care about security.You could argue that Microsoft updates doesn't equate to security (which is accurate), but since XP hasn't received security patches for several years now, using it under any pretense is just plain dumb.Maybe in a system/VM that's offline, or behind such a restrictive firewall that nothing's possible... but then what's the point?

@ATurtleIf anyone is still using XP, they clearly don't care about security.You could argue that Microsoft updates doesn't equate to security (which is accurate), but since XP hasn't received security patches for several years now, using it under any pretense is just plain dumb.Maybe in a system/VM that's offline, or behind such a restrictive firewall that nothing's possible... but then what's the point?

@KungFuCheXP is no longer supported. Anyone still on XP will have to stay on the older v2.22, which won't receive any new updates, unless some horribly vulnerable issue is discovered in the openvpn/openssl that version uses.It's usually a bad idea to provide backwards compatibility for an OS version that stopped receiving security updates several years ago.I do plan on doing more tests regarding the different ways internet can be disconnected and how to detect it so the widget responds accordingly.Same goes for the different CPU features and architectures, and the systray issues that seem to vary by Windows version.

Just built a new widget v3.0.0.72 that includes code that now saves that connect timeout value (Under "Options" -> "Connecting") so it's remembered on restart.

@KungFuCheXP is no longer supported. Anyone still on XP will have to stay on the older v2.22, which won't receive any new updates, unless some horribly vulnerable issue is discovered in the openvpn/openssl that version uses.It's usually a bad idea to provide backwards compatibility for an OS version that stopped receiving security updates several years ago.I do plan on doing more tests regarding the different ways internet can be disconnected and how to detect it so the widget responds accordingly.Same goes for the different CPU features and architectures, and the systray issues that seem to vary by Windows version.

UPDATE: a cable fault was determined to be the cause of hang at splash screen (need to trap PHY errors)

Also noticed some state corruption related to suspend/resume. Observed the following issues:

- widget appears in tray but connection is not routed through VPN- widget disappears from tray but VPN connnection still active- widget crashes on exit request and clearnet connectivity is not restored (but can reconnect to VPN if widget is relaunched)

PS - forum says you can edit your posts but edit button does not appear at the next login

[b]UPDATE: a cable fault was determined to be the cause of hang at splash screen[/b] (need to trap PHY errors)

Also noticed some state corruption related to suspend/resume. Observed the following issues:

- widget appears in tray but connection is not routed through VPN- widget disappears from tray but VPN connnection still active- widget crashes on exit request and clearnet connectivity is not restored (but can reconnect to VPN if widget is relaunched)

some good progress is being made on the widget here but i see a major issue on some 32 bit platforms:

client.exe hangs at splash screen with high CPU load(the initial window with the controls does not appear)then it constantly retries some I/O read operation - looks like it might involve a call to mswsock.dll (WSPStartup)this produces a memory leak: client.exe allocates +1 MB every 2 seconds until system haltsnothing related is seen in event log

not really looking for old platform support - just pointing out that v2 was working so if you are going to fail now lets make a clean exit

on other platforms where it works, i see some issues with suspend / resume:upon resuming client.exe is still running and it appears in tray - but nothing happens when you click on it (and https://cryptostorm.is/test fails)so the user must manually test connectivity every time the machine wakesneed some way to fail safe (= no access without VPN)

some good progress is being made on the widget here but i see a major issue on some 32 bit platforms:

[b]client.exe[/b] hangs at splash screen with high CPU load(the initial window with the controls does not appear)then it constantly retries some I/O read operation - looks like it might involve a call to mswsock.dll (WSPStartup)this produces a memory leak: client.exe allocates +1 MB every 2 seconds until system haltsnothing related is seen in event log

not really looking for old platform support - just pointing out that v2 was working so if you are going to fail now lets make a clean exit

on other platforms where it works, i see some issues with suspend / resume:upon resuming client.exe is still running and it appears in tray - but nothing happens when you click on it (and https://cryptostorm.is/test fails)so the user must manually test connectivity every time the machine wakes[b]need some way to fail safe[/b] (= no access without VPN)

@justintimeJust as parityboy said, Windows requires more effort to make things more secure/anonymous.It's non-trivial to run DNSCrypt along with OpenVPN while also blocking DNS, WebRTC/STUN/ICE, and IPv6 leaks in Windows.On Linux, it is trivial. Plus, most of the issues that the Windows Widget fixes don't even exist in Linux.

@parityboyMD5 and SHA1 are considered broken, but in order for someone to perform a collision (like if they were able to manipulate the cryptostorm_setup.exe file and wanted to get past integrity checks), they would have to cause the other hashes to change too (md5 collision would change the sha1 and sha512 hashes, sha1 collision would change the md5 and sha512 hashes, etc.). That's why you should check all 3 hashes. Even so, here's the sha256 hash of the last build (v3.0.0.71): d93e388f90b8177f3dcc16365e25c575f1be64df7a6a1b9caca13bbae87f1733

If anyone out there is using one of those programs that only supports MD5 or SHA1, try out https://sourceforge.net/projects/simplehasher/It's free and supports a lot more ciphers (more than I've provided for the .exe actually), and is pretty easy to use.

@justintimeJust as parityboy said, Windows requires more effort to make things more secure/anonymous.It's non-trivial to run DNSCrypt along with OpenVPN while also blocking DNS, WebRTC/STUN/ICE, and IPv6 leaks in Windows.On Linux, it is trivial. Plus, most of the issues that the Windows Widget fixes don't even exist in Linux.

@parityboyMD5 and SHA1 are considered broken, but in order for someone to perform a collision (like if they were able to manipulate the cryptostorm_setup.exe file and wanted to get past integrity checks), they would have to cause the other hashes to change too (md5 collision would change the sha1 and sha512 hashes, sha1 collision would change the md5 and sha512 hashes, etc.). That's why you should check all 3 hashes. Even so, here's the sha256 hash of the last build (v3.0.0.71): d93e388f90b8177f3dcc16365e25c575f1be64df7a6a1b9caca13bbae87f1733

The only reason I'm still including SHA1 and MD5 hashes is that there's a lot of free products (like https://www.microsoft.com/en-us/download/details.aspx?id=11533 ) that only does MD5 and SHA1, and a lot of people are probably using one of those programs.

If anyone out there is using one of those programs that only supports MD5 or SHA1, try out https://sourceforge.net/projects/simplehasher/It's free and supports a lot more ciphers (more than I've provided for the .exe actually), and is pretty easy to use.

Most Linux users know enough to handle their security issues in terms of firewalls, leaks etc. Not only that, but also consider that those security features are in the widget because...Windows. However, you do have a point: as desktop Linux becomes more popular, that popularity will be represented by users who are not as familiar with Linux and network security as us *nix heads are.

[b]@justintime[/b]

Most Linux users know enough to handle their security issues in terms of firewalls, leaks etc. Not only that, but also consider that those security features are in the widget because...Windows. However, you do have a point: as desktop Linux becomes more popular, that popularity will be represented by users who are not as familiar with Linux and network security as us *nix heads are.

I'm a bit shocked/surprised that there is ONLY a windows widget version. CS has always prided itself on being as secure as possible, and I don't understand why that wouldn't include Unix? The windows widget has many added security features...

But anyone who is REALLY concerned with security, is either running it on Linux, or on their router which means they cannot take advantage of any of these extra security enhancements.

I left CS a year ago, waiting for this to be released, but it still hasn't happened yet

It just feels wrong on so many levels.

I'm a bit shocked/surprised that there is ONLY a windows widget version. CS has always prided itself on being as secure as possible, and I don't understand why that wouldn't include Unix? The windows widget has many added security features...

But anyone who is REALLY concerned with security, is either running it on Linux, or on their router which means they cannot take advantage of any of these extra security enhancements.

I left CS a year ago, waiting for this to be released, but it still hasn't happened yet :(

The main feature in this build is better closing of the openvpn process, so your session counter will decrease instantly when you disconnect or exit.In all the previous builds it was doing an 'unclean' kill of that process, which meant the server didn't recognize your disconnect until the server-side openvpn timed out the connection, which takes 2 minutes.Now it should happen instantly, so no more auth failures when you quickly disconnect/reconnect.

The other feature is in Options -> Connecting, you can now specify that 60 second connect timeout to something a little higher if you need more than 60 seconds to connect (like if on bad WiFi).

Up at the usual places, https://cryptostorm.is/cryptostorm_setup.exe and https://b.unni.es/cryptostorm_setup.exe

The main feature in this build is better closing of the openvpn process, so your session counter will decrease instantly when you disconnect or exit.In all the previous builds it was doing an 'unclean' kill of that process, which meant the server didn't recognize your disconnect until the server-side openvpn timed out the connection, which takes 2 minutes.Now it should happen instantly, so no more auth failures when you quickly disconnect/reconnect.

The other feature is in Options -> Connecting, you can now specify that 60 second connect timeout to something a little higher if you need more than 60 seconds to connect (like if on bad WiFi).

Well, I fixed it.Windows Settings, Network & Internet, in the Status tab all the way at the bottom click "Network reset". It auto reboots the system and then after that it was fixed.Sorry for the confusion, and for cluttering your thread here when the problem was on my end.

PS I ended up buying a 1 year token with CS. Very impressive service. Nothing else came close after extensive research and testing.

Well, I fixed it.Windows Settings, Network & Internet, in the Status tab all the way at the bottom click "Network reset". It auto reboots the system and then after that it was fixed.Sorry for the confusion, and for cluttering your thread here when the problem was on my end.

PS I ended up buying a 1 year token with CS. Very impressive service. Nothing else came close after extensive research and testing.

Some other weird things about it:My connection to the internet works if I also go down a digit as well. So, if I changed ***.**.147.76 to ***.**.147.75 That change also repairs the connection. So one digit either up or down makes it work

When I use the v3 client to connect at the end I get the green bar that says I'm connected and no errors are reported even though I cannot browse the internet with any standard browser. Firefox, Microsoft Edge, Brave Browser all don't work. Tor Browser however, does work even before any changes are made by me manually to the Primary DNS IP address.

The only thing that I've installed recently was mullvad's windows client, in order to compare VPN services. That has since been completely uninstalled and the system has been rebooted, and the problem remains.

Some other weird things about it:My connection to the internet works if I also go down a digit as well. So, if I changed ***.**.147.76 to ***.**.147.75 That change also repairs the connection. So one digit either up or down makes it work

When I use the v3 client to connect at the end I get the green bar that says I'm connected and no errors are reported even though I cannot browse the internet with any standard browser. Firefox, Microsoft Edge, Brave Browser all don't work. Tor Browser however, does work even before any changes are made by me manually to the Primary DNS IP address.

The only thing that I've installed recently was mullvad's windows client, in order to compare VPN services. That has since been completely uninstalled and the system has been rebooted, and the problem remains.

@KharizThe widget does manually set the DNS if DNSCrypt is enabled. Everything else is done via TAP, but there might be some code still in there that's leftover from before --block-outside-dns was implemented into OpenVPN, back when the widget had to do the DNS leak blocks itself.

@crimghostThat is very weird. There's nothing in the code that does any sort of math against any DNSCrypt server IP, and the DNS server IP you get when you connect is pushed directly from the server... You sure you're not running any other software that might be modifying your DNS settings?

@KharizThe widget does manually set the DNS if DNSCrypt is enabled. Everything else is done via TAP, but there might be some code still in there that's leftover from before --block-outside-dns was implemented into OpenVPN, back when the widget had to do the DNS leak blocks itself.

@crimghostThat is very weird. There's nothing in the code that does any sort of math against any DNSCrypt server IP, and the DNS server IP you get when you connect is pushed directly from the server... You sure you're not running any other software that might be modifying your DNS settings?

I find that exceptionally weird considering the fact that the widget should not be manually setting the DNS IP to the actual servers IP address anyway, it should be sending it to the tap adapter gateway. I wonder if some setting is being pushed differently from the servers than it used to be.

I find that exceptionally weird considering the fact that the widget should not be manually setting the DNS IP to the actual servers IP address anyway, it should be sending it to the tap adapter gateway. I wonder if some setting is being pushed differently from the servers than it used to be.

I've run into a problem where when I connect to Cryptostorm service, no matter which server I connect to, the v3 client sets my preferred DNS server 1 digit too low. So my browser cannot connect to the internet until I go into Windows 10 settings and manually increase the final digit on the right 1 digit higher than client v3 sets it automatically.To be clear if client v3.0.0.67 sets my preferred DNS to ***.**.147.76 I cannot connect until I go in and manually set my preferred DNS to ***.**.147.77 instead. Every server I've tried works fine once I make this change though.

I've run into a problem where when I connect to Cryptostorm service, no matter which server I connect to, the v3 client sets my preferred DNS server 1 digit too low. So my browser cannot connect to the internet until I go into Windows 10 settings and manually increase the final digit on the right 1 digit higher than client v3 sets it automatically.To be clear if client v3.0.0.67 sets my preferred DNS to ***.**.147.76 I cannot connect until I go in and manually set my preferred DNS to ***.**.147.77 instead. Every server I've tried works fine once I make this change though.

@marzametalEh, I haven't been maintaining the previous versions though since these v3 betas were never really intended to be released, at least not until it got out of beta. So each new build is uploaded to the same place, overwriting the previous. The only way to get .66 would be if you already downloaded it and still have it saved, or if I built a new .68 that used ovpn 2.4 instead of 2.3.

@marzametalEh, I haven't been maintaining the previous versions though since these v3 betas were never really intended to be released, at least not until it got out of beta. So each new build is uploaded to the same place, overwriting the previous. The only way to get .66 would be if you already downloaded it and still have it saved, or if I built a new .68 that used ovpn 2.4 instead of 2.3.

Khariz wrote:I'm keeping the 2.4 widget. It works great for me on Windows 10. I just keep answering no when it asks me to "upgrade" to 2.3

Maybe you could roll back to .66 which has 2.4... saves you clicking No all the time.

[quote="Khariz"]I'm keeping the 2.4 widget. It works great for me on Windows 10. I just keep answering no when it asks me to "upgrade" to 2.3[/quote]Maybe you could roll back to .66 which has 2.4... saves you clicking No all the time.

I can't explain.....but I just downloaded the v3 widget again and I'm now connected and the screen shot below is showing green. Thanks for all your work and responses. I'm just happy this is finally working.

I can't explain.....but I just downloaded the v3 widget again and I'm now connected and the screen shot below is showing green. Thanks for all your work and responses. I'm just happy this is finally working.[img]http://www.steemimg.com/images/2017/02/10/working7886f.jpg[/img]

Tested with somebody, and for whatever reason OpenVPN 2.4.0 kept crashing on them.So I just released v3.0.0.67 that's downgraded to OpenVPN 2.3.14, it'll most likely fix this issue for anyone else still having problems with v3.0.0.66.

Tested with somebody, and for whatever reason OpenVPN 2.4.0 kept crashing on them.So I just released v3.0.0.67 that's downgraded to OpenVPN 2.3.14, it'll most likely fix this issue for anyone else still having problems with v3.0.0.66.

It sounds like people had problems with the csvpn.exe (openvpn 2.4.0) that got pushed in the last update.It worked for me on Win10, but just in case I reuploaded the same openvpn/openssl binaries/libraries that I had locally onto all the servers so that they would get pushed instead.

For those still having this issue, uninstall/reinstall v3.0.0.66 and connect, then accept the update when it pops up and it should upgrade to openvpn 2.4.0 + openssl 1.0.2k just fine.

If you're still getting stuck at "Logging into darknet" even after trying the above, my guess is that you have an AV program running in the background that's deleting csvpn.exe or ossl.exe after it gets downloaded because the action appears to be malicious (granted, it is suspicious for a .exe to get downloaded like that). So if you've got any sort of AV running, add "C:\Program Files (x86)\Cryptostorm Client\" to your exclusion list.

It sounds like people had problems with the csvpn.exe (openvpn 2.4.0) that got pushed in the last update.It worked for me on Win10, but just in case I reuploaded the same openvpn/openssl binaries/libraries that I had locally onto all the servers so that they would get pushed instead.

For those still having this issue, uninstall/reinstall v3.0.0.66 and connect, then accept the update when it pops up and it should upgrade to openvpn 2.4.0 + openssl 1.0.2k just fine.

If you're still getting stuck at "Logging into darknet" even after trying the above, my guess is that you have an AV program running in the background that's deleting csvpn.exe or ossl.exe after it gets downloaded because the action appears to be malicious (granted, it is suspicious for a .exe to get downloaded like that). So if you've got any sort of AV running, add "C:\Program Files (x86)\Cryptostorm Client\" to your exclusion list.

I have the same problem as the others above. After some auto update yesterday it stopped working. I have reinstalled (build 3.0.0.66)and so on but it dosent work and i am using Win10. Someone wrote that it worked on Win10... not for me. Same error it loads and then stoppes on logging into darknet.. then only reconnect every 60 sek. I have checked my key and it is still valid for 45 Days.

I have the same problem as the others above. After some auto update yesterday it stopped working. I have reinstalled (build 3.0.0.66)and so on but it dosent work and i am using Win10. Someone wrote that it worked on Win10... not for me. Same error it loads and then stoppes on logging into darknet.. then only reconnect every 60 sek. I have checked my key and it is still valid for 45 Days.

I've been using widget v3 for months and it has been solid. All of a sudden last night it automatically stalled on connection. I tried to restart it and it kept coming back with the yellow bar 'took longer than 60 seconds to connect'.

I've now completed all of the task below with the same yellow bar continuing to plague me:updated nodesrestarted the widgetinstalled the widget all over againrestarted my computer

If anyone has any updates on why this could be happening I'd greatly appreciate it. I have to admit that since August when I purchased I feel like I've had a lot of problems and not much on the way of help.

I've been using widget v3 for months and it has been solid. All of a sudden last night it automatically stalled on connection. I tried to restart it and it kept coming back with the yellow bar 'took longer than 60 seconds to connect'.

I've now completed all of the task below with the same yellow bar continuing to plague me:updated nodesrestarted the widgetinstalled the widget all over againrestarted my computer

If anyone has any updates on why this could be happening I'd greatly appreciate it. I have to admit that since August when I purchased I feel like I've had a lot of problems and not much on the way of help.

I was on a previous v3 build, and since several updates happened within the widget, I’m not able to use a v3 build any more – well, I just have the v3.0.0.66 to test.It stops at the “Logging into the darknet” step, no log is visible, just a black square.Is there a way to get the log elsewhere?Widget v2.22 is working.

Thanks in advance for any help.

I am having the same issue. Tracked it down to csvpn.exe (the openvpn version - openvpn.exe after renaming to csvpn.exe also misbehaves)

[quote="bricus"]Hi,

I was on a previous v3 build, and since several updates happened within the widget, I’m not able to use a v3 build any more – well, I just have the v3.0.0.66 to test.It stops at the “Logging into the darknet” step, no log is visible, just a black square.Is there a way to get the log elsewhere?Widget v2.22 is working.

Thanks in advance for any help.[/quote]I am having the same issue. Tracked it down to csvpn.exe (the openvpn version - openvpn.exe after renaming to csvpn.exe also misbehaves)

I was on a previous v3 build, and since several updates happened within the widget, I’m not able to use a v3 build any more – well, I just have the v3.0.0.66 to test.It stops at the “Logging into the darknet” step, no log is visible, just a black square.Is there a way to get the log elsewhere?Widget v2.22 is working.

Thanks in advance for any help.

Hi,

I was on a previous v3 build, and since several updates happened within the widget, I’m not able to use a v3 build any more – well, I just have the v3.0.0.66 to test.It stops at the “Logging into the darknet” step, no log is visible, just a black square.Is there a way to get the log elsewhere?Widget v2.22 is working.

@JJThat's intended. The widget detects hibernate/suspend and disconnects the VPN since internet gets killed anyways when that happens. When the computer wakes up, the widget detects that too and will reconnect the VPN if you were connected before the hibernate. If you weren't connected to the VPN before hibernate, it'll still set the DNS to the local DNSCrypt server (127.0.0.1), unless you have DNSCrypt disabled.

@Everyone elseLatest widget build is v3.0.0.66, which fixes a small bug where when auto-updating the dnscrypt-resolvers.csv file, it would delete the openssl + openvpn .exe's too if also upgrading those.There was a v3.0.0.65 that was on the web site for about a minute, but it was quickly removed because of a bug where the upgrade process broke due to a temporary directory not being created correctly. So if anyone downloaded it in the short time it was there, upgrade to v3.0.0.66.

Side note:Right now I'm trying to change the node list update code since it still does a simple/lazy grab of https://cryptostorm.nu/nodelist3.txt , which means if cryptostorm.nu goes down or someone is able to do an HTTPS MitM against you, you won't be able to update your node list (or in the MiTM case, someone could point you to a malicious VPN server). I think a solution to that problem would be to only allow updating of the node list after connected to the VPN, so it would grab nodelist3.txt from a local copy stored on node itself, via the VPN tunnel. For people who don't have tokens yet, the feature would also work on Cryptofree.

And yes, I still plan on adding a killswitch function in the near future. If I can't get the code I'm working on now to play nicely with Windows, or if it's going to end up taking much longer than it already has, I'll most likely just slap together something using WFP or Windows Firewall. Not as efficient as I'd like, but it would be functional enough for most people.

@JJThat's intended. The widget detects hibernate/suspend and disconnects the VPN since internet gets killed anyways when that happens. When the computer wakes up, the widget detects that too and will reconnect the VPN if you were connected before the hibernate. If you weren't connected to the VPN before hibernate, it'll still set the DNS to the local DNSCrypt server (127.0.0.1), unless you have DNSCrypt disabled.

@Everyone elseLatest widget build is v3.0.0.66, which fixes a small bug where when auto-updating the dnscrypt-resolvers.csv file, it would delete the openssl + openvpn .exe's too if also upgrading those.There was a v3.0.0.65 that was on the web site for about a minute, but it was quickly removed because of a bug where the upgrade process broke due to a temporary directory not being created correctly. So if anyone downloaded it in the short time it was there, upgrade to v3.0.0.66.

Included is the latest nodelist, dnscrypt resolvers, openssl, and openvpn.As usual, the latest build can be found at https://cryptostorm.is/cryptostorm_setup.exe or https://b.unni.es/cryptostorm_setup.exe

Side note:Right now I'm trying to change the node list update code since it still does a simple/lazy grab of https://cryptostorm.nu/nodelist3.txt , which means if cryptostorm.nu goes down or someone is able to do an HTTPS MitM against you, you won't be able to update your node list (or in the MiTM case, someone could point you to a malicious VPN server). I think a solution to that problem would be to only allow updating of the node list after connected to the VPN, so it would grab nodelist3.txt from a local copy stored on node itself, via the VPN tunnel. For people who don't have tokens yet, the feature would also work on Cryptofree.

And yes, I still plan on adding a killswitch function in the near future. If I can't get the code I'm working on now to play nicely with Windows, or if it's going to end up taking much longer than it already has, I'll most likely just slap together something using WFP or Windows Firewall. Not as efficient as I'd like, but it would be functional enough for most people.

In addition to my earlier message: it looks as if there is also something with the widget. Not sure if that's the case, but when my laptop restarts after a hibernate mode, the DNS-server setting of my network adapter is changed in a local one: 127.0.0.1. With the widget activated the adapter setting on IP4 is the CS DNS-server of the country I selected.

In addition to my earlier message: it looks as if there is also something with the widget. Not sure if that's the case, but when my laptop restarts after a hibernate mode, the DNS-server setting of my network adapter is changed in a local one: 127.0.0.1. With the widget activated the adapter setting on IP4 is the CS DNS-server of the country I selected.

df wrote:@JJIt looks like dnscrypt is running correctly. I guess try doing the same thing the widget would do (from cmd):nslookup windows-balancer.cstorm.pw 127.0.0.1That'll lookup the first windows balancer against dnscrypt.

But as Khariz said, you could just disable dnscrypt since you're not facing any adversaries that are capable of causing problems via DNS.

OK. Thamks for this information. In the meantime (after hours of frustration and trial and error) I found out that my Kaspersky Internet Security was responsible for these problems. After consulting their Support crew I found a solution that is working with DNS-crypt enabled. Thanks for your support and keep up the good work.

[quote="df"]@JJIt looks like dnscrypt is running correctly. I guess try doing the same thing the widget would do (from cmd):nslookup windows-balancer.cstorm.pw 127.0.0.1That'll lookup the first windows balancer against dnscrypt.

But as Khariz said, you could just disable dnscrypt since you're not facing any adversaries that are capable of causing problems via DNS.[/quote]

OK. Thamks for this information. In the meantime (after hours of frustration and trial and error) I found out that my Kaspersky Internet Security was responsible for these problems. After consulting their Support crew I found a solution that is working with DNS-crypt enabled. Thanks for your support and keep up the good work.

@Guest404Probably not very soon, I'm still working on the widget for Windows.But I do plan on starting a Linux widget after v3 is officially released, which shouldn't be long now.

When I do begin the Linux widget, I'll probably just start from the Windows widget's code and begin hacking off a big portion of the code since a lot of it is unnecessary on Linux because Linux handles certain things in a sane manner (process signals, threading, a non-horrible firewall, etc.).

@Guest404Probably not very soon, I'm still working on the widget for Windows.But I do plan on starting a Linux widget after v3 is officially released, which shouldn't be long now.

When I do begin the Linux widget, I'll probably just start from the Windows widget's code and begin hacking off a big portion of the code since a lot of it is unnecessary on Linux because Linux handles certain things in a sane manner (process signals, threading, a non-horrible firewall, etc.).

@JJIt looks like dnscrypt is running correctly. I guess try doing the same thing the widget would do (from cmd):nslookup windows-balancer.cstorm.pw 127.0.0.1That'll lookup the first windows balancer against dnscrypt.

But as Khariz said, you could just disable dnscrypt since you're not facing any adversaries that are capable of causing problems via DNS.

@JJIt looks like dnscrypt is running correctly. I guess try doing the same thing the widget would do (from cmd):nslookup windows-balancer.cstorm.pw 127.0.0.1That'll lookup the first windows balancer against dnscrypt.

But as Khariz said, you could just disable dnscrypt since you're not facing any adversaries that are capable of causing problems via DNS.

@JJIt could also be that something else (an AV maybe?) is closing dnscrypt-proxy.exe for whatever reason.Either that or dnscrypt-proxy is spitting out an unexpected error.A way to test would be to open up a cmd prompt as Administrator and run:

As for disabling dnscrypt, it will make your pre-connect DNS requests less secure, but it's highly unlikely that an attacker would be able to do anything more than a DoS against you (maybe to prevent you from accessing the VPN).

@JJIt could also be that something else (an AV maybe?) is closing dnscrypt-proxy.exe for whatever reason.Either that or dnscrypt-proxy is spitting out an unexpected error.A way to test would be to open up a cmd prompt as Administrator and run:

As for disabling dnscrypt, it will make your pre-connect DNS requests less secure, but it's highly unlikely that an attacker would be able to do anything more than a DoS against you (maybe to prevent you from accessing the VPN).

@df Thanks for your response. I do not have a local DNS-server/proxy etc.. Is the widget adapted to block when this is the case?What is the risk of disabling DNS-crypt?? I understood that it was meant to improve privacy/security. What if it is permanently disabled?

@df Thanks for your response. I do not have a local DNS-server/proxy etc.. Is the widget adapted to block when this is the case?What is the risk of disabling DNS-crypt?? I understood that it was meant to improve privacy/security. What if it is permanently disabled?

@JJThe only thing I can think of that would cause that is if something else is already listening on 127.0.0.1:53 (such as a local DNS server/proxy/cache). Currently, the widget doesn't check to make sure port 53 is available on 127.0.0.1.I'll add that to the next build, so if something is using that port already, it'll popup a message telling you about it then it'll disable DNSCrypt. Maybe if it doesn't add too much additional code, I could also have it tell you which program is already listening on 127.0.0.1:53.

@JJThe only thing I can think of that would cause that is if something else is already listening on 127.0.0.1:53 (such as a local DNS server/proxy/cache). Currently, the widget doesn't check to make sure port 53 is available on 127.0.0.1.I'll add that to the next build, so if something is using that port already, it'll popup a message telling you about it then it'll disable DNSCrypt. Maybe if it doesn't add too much additional code, I could also have it tell you which program is already listening on 127.0.0.1:53.

OK. Another few hours of puzzling. Just found out that when I disable DSN-crypt in the widget, it is possible to connect to CS VPN without any errors. What does this mean? Is there an error in the DNS-crypt list? Or?

OK. Another few hours of puzzling. Just found out that when I disable DSN-crypt in the widget, it is possible to connect to CS VPN without any errors. What does this mean? Is there an error in the DNS-crypt list? Or?

@marzametalMany thanks for your thorough response. For me it is rather technical, (too technical) so I am not sure if I understand it all correct. But I use Kaspersky Internet Security. So far never had a problem with it. Wonder why this schould be the case with widget3 and off course, what I can do about it.

@marzametalMany thanks for your thorough response. For me it is rather technical, (too technical) so I am not sure if I understand it all correct. But I use Kaspersky Internet Security. So far never had a problem with it. Wonder why this schould be the case with widget3 and off course, what I can do about it.

I make use of Windows Firewall with Advanced Security, but I use a 3rd party app called Windows Firewall Control to act as an interface for WFwAS for the purposes of monitoring connection logs, and a 3rd party app called Acrylic DNS Proxy to handle DNS (along with wildcards in Hosts file).

NOTE: WFwAS does not provide such logging capabilites... one would have to navigate to "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" to see any resemblance of a connection log... very ugly looking, but it is plain text after all...

Essentially, it would be a guessing game to figure this out without firewall connection logs. Hence why I asked at the beginning of this post about your firewall software.

I have attached a print screen of my rules for an exit node, along with DHCP rules. The NLA Outbound Snooping rule (tied to Network Location Awareness Service) and the Crypto Outbound Snooping rule (tied to Cryptographic Services Service) are there, but are denied via a global Block Rule. The other rules are active when connecting to said exit node. Also, disregard the rule for Acrylic.

I will keep an eye on this thread for any of your replies... very interesting as to why you are having dramas.

Cheers.

P.S.: In regards to router, I have replaced my ISP DNS entries with CS DNS entries, and before I started using Acrylic DNS Proxy, I would have included two CS DNS addresses for ISP connection, but left the TAP Adapter DNS fields to populate automatically.

P.S.: Just remembered there is also an outbound rule for "C:\Program Files (x86)\Cryptostorm Client\bin\csvpn.exe"...

My approach is tedious, but once set up, it allows for transparency because the rules that are active only apply for the exit node that I am connecting to. I could provide more details, but will wait for a response so we are on the same page. Good luck buddy!

Attachments

CSVpn.exe

Rules...

What firewall do you use? Maybe I can think of something...

I make use of Windows Firewall with Advanced Security, but I use a 3rd party app called Windows Firewall Control to act as an interface for WFwAS for the purposes of monitoring connection logs, and a 3rd party app called Acrylic DNS Proxy to handle DNS (along with wildcards in Hosts file).

NOTE: WFwAS does not provide such logging capabilites... one would have to navigate to "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" to see any resemblance of a connection log... very ugly looking, but it is plain text after all...

Essentially, it would be a guessing game to figure this out without firewall connection logs. Hence why I asked at the beginning of this post about your firewall software.

I have attached a print screen of my rules for an exit node, along with DHCP rules. The NLA Outbound Snooping rule (tied to Network Location Awareness Service) and the Crypto Outbound Snooping rule (tied to Cryptographic Services Service) are there, but are denied via a global Block Rule. The other rules are active when connecting to said exit node. Also, disregard the rule for Acrylic.

I will keep an eye on this thread for any of your replies... very interesting as to why you are having dramas.

Cheers.

P.S.: In regards to router, I have replaced my ISP DNS entries with CS DNS entries, and before I started using Acrylic DNS Proxy, I would have included two CS DNS addresses for ISP connection, but left the TAP Adapter DNS fields to populate automatically.

P.S.: Just remembered there is also an outbound rule for "C:\Program Files (x86)\Cryptostorm Client\bin\csvpn.exe"...

My approach is tedious, but once set up, it allows for transparency because the rules that are active only apply for the exit node that I am connecting to. I could provide more details, but will wait for a response so we are on the same page. Good luck buddy!

marzametal wrote:The scenario in the above post happened to me as well...

It turns out that the widget defaults to a specific exit node after install/update, and unless the end user picks it up by checking connection logs, he/she will throw a fit because s**t doesn't work.

For me, it was one of the US nodes, off the top of my head, cannot remember which one.

Hey Marzametal: really interested in what connection logs I will have to check. Looks like it has nothing to do with DNS-settings. Would expect every location to have a problem then. But that is not the case. So it seems like another problem. Hope you can give me a clue.

[quote="marzametal"]The scenario in the above post happened to me as well...

It turns out that the widget defaults to a specific exit node after install/update, and unless the end user picks it up by checking connection logs, he/she will throw a fit because s**t doesn't work.

For me, it was one of the US nodes, off the top of my head, cannot remember which one.[/quote]

Hey Marzametal: really interested in what connection logs I will have to check. Looks like it has nothing to do with DNS-settings. Would expect every location to have a problem then. But that is not the case. So it seems like another problem. Hope you can give me a clue.

No succes so far. Changing DNS setting to OpenDNS of CS-adresses does not work. Widget keeps displaying the message that it is impossible to resolve the server in the specific country. Did not try all the countries, but at least 5. All the same errors.

No succes so far. Changing DNS setting to OpenDNS of CS-adresses does not work. Widget keeps displaying the message that it is impossible to resolve the server in the specific country. Did not try all the countries, but at least 5. All the same errors.

@JJOld and new widget work fine in my tests.Most likely your DNS settings were changed somehow, you'll need to restore them to their default settings in order to be able to resolve stuff again.https://www.opennicproject.org/configur ... windows-7/ and other sites you can find via Googling "windows dns change" have instructions for doing so.

In the latest v3 widget build, DNS settings are saved to a file when the program starts up, so if the widget ever crashes (leaving DNS in an unusable state), all that's needed to restore DNS settings is to run the widget again.

EDIT:tldr, what Khariz said

@JJOld and new widget work fine in my tests.Most likely your DNS settings were changed somehow, you'll need to restore them to their default settings in order to be able to resolve stuff again.https://www.opennicproject.org/configure-your-dns/how-to-change-dns-servers-in-windows-7/ and other sites you can find via Googling "windows dns change" have instructions for doing so.

In the latest v3 widget build, DNS settings are saved to a file when the program starts up, so if the widget ever crashes (leaving DNS in an unusable state), all that's needed to restore DNS settings is to run the widget again.